
moving APs from one WLC to another

apbahar
Level 1

Hi tech gurus,

I am now planning to move a number of APs from one local WLC (2500) to a central WLC (5500). Both sets of APs are AIR-CAP2602I-Z-K9. I figured I need to create a new group.

But I was told the local one is using LEAP and the central one is using PEAP-MsCHAP on server side. Client side certificates are not implemented yet.

Are there any technical issues you can see with moving APs from the local WLC 2500 to the central WLC 5500?

Thank you,

George Stefanick
VIP Alumni

Yes, you have some concerns. Where are LEAP and PEAP being authenticated?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

There is an ISE server for the central WLC. The local one is using another RADIUS. If that is what you are asking...

When doing RADIUS (EAP), the authenticator, in this case the WLC, doesn't care what EAP type you use. It simply just passes it along to the RADIUS server. That said, your client and RADIUS server talk and the WLC waits for a success or failure.

I think my concern would be how your clients are configured. What type of clients? Is your PEAP cert signed by a CA or internal PKI? Etc.

___________________________________________________________

There are no client-side certificates implemented. All I am told is there is PEAP-MsCHAP on server side.

That's assumed if you're doing PEAP, no client-side certs. Unless you would do PEAP v2 TLS.

That all said, if you switch over and if your clients are configured for LEAP, then yes, I expect you will have some problems. I assume your WLAN name will be the same as on the 2500 WLC?

___________________________________________________________
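
Added example (not from the thread or from Cisco): because the WLC only relays EAP between the client and the RADIUS server, a client still configured for LEAP shows up as an EAP Nak when the server offers PEAP. The sketch below decodes a constructed EAP exchange and reports that mismatch; the packet bytes and function names are assumptions for illustration.

```python
import struct

# EAP method type numbers as assigned in the IANA EAP registry.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 26: "MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet (RFC 3748 header: code, id, length, then type)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": EAP_CODES.get(code, f"code-{code}"), "id": ident, "type": None, "wants": []}
    if code in (1, 2) and length >= 5:
        etype = pkt[4]
        out["type"] = EAP_TYPES.get(etype, f"type-{etype}")
        if code == 2 and etype == 3:
            # Nak body lists the methods the client is willing to use instead.
            out["wants"] = [EAP_TYPES.get(b, f"type-{b}") for b in pkt[5:length]]
    return out

def method_mismatch(packets):
    """Return (offered, wanted) when a client Naks the server's method, else None."""
    offered = None
    for raw in packets:
        p = parse_eap(raw)
        if p["code"] == "Request" and p["type"] not in (None, "Identity"):
            offered = p["type"]
        elif p["type"] == "Nak":
            return offered, p["wants"]
    return None

# Constructed exchange: the server offers PEAP, a LEAP-only client refuses.
SAMPLE = [
    bytes.fromhex("0101000501"),          # Request/Identity
    bytes.fromhex("020100090175736572"),  # Response/Identity "user"
    bytes.fromhex("010200061920"),        # Request/PEAP (Start flag set)
    bytes.fromhex("020200060311"),        # Response/Nak, client wants LEAP (17)
    bytes.fromhex("04020004"),            # Failure
]

if __name__ == "__main__":
    print(method_mismatch(SAMPLE))
```
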

OK, I am quite new to this. As far as I read on Google, there should have been some paid certificates purchased for PEAP. There is no such thing in the company. None of the users' laptops are configured with any additional certificate (for the users on the central WLC). I don't see any PEAP configuration on the WLC either.

So I am having difficulty understanding what it is that could possibly impact users on the local WLC once they move onto the central WLC. Can they log in just like how the users on the central WLC log in? It is the same company, same LDAP, same SSID...

AP groups do not allow multicast roaming across group boundaries. AP groups allow APs on the same controller to map the same WLAN (SSID) to different VLANs. If a client roams between APs in different groups, the multicast session does not function properly because this is currently not supported. Currently, the WLC forwards multicast only for the VLAN configured on the WLAN and does not take into consideration VLANs configured in AP groups.

This list shows the maximum number of AP groups that you can configure on a WLC:

A maximum of 50 access point groups for the Cisco 2100 Series Controller and controller network modules.

A maximum of 300 access point groups for the Cisco 4400 Series Controllers, Cisco WiSM, and Cisco 3750G Wireless LAN Controller Switch.

A maximum of 500 access point groups for Cisco 5500 Series Controllers.
